
Summary
This detection rule alerts on the creation of PFX (PKCS #12) files, the container format Windows uses to export a certificate together with its private key. A newly written .pfx file can indicate that an adversary has exported a certificate and key in order to steal or reuse them elsewhere. The rule matches Windows file creation events whose target file name ends in the .pfx extension. It is written in the Sigma format, so it can be converted into the query language of most SIEM and EDR back ends. Legitimate administrative work, such as an administrator exporting a certificate from the certificate management console, will trigger it as well, so analysts should weigh the context of each hit: the process that wrote the file, the account it ran as, and where the file was written. Because the rule is a plain match on the file extension rather than a count-based rule, tuning takes the form of exclusions for known certificate management tooling and administrator activity, kept narrow enough that certificate theft by an attacker is still detected.
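The following is an added example, not code from the rule page or the Sigma project: it reimplements the rule's matching logic in Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) style records, then annotates each hit with the contextual clues described above. The event fields (Image, TargetFilename, User), the sample events, and the allowlists of certificate tools and PKI administrators used for triage are all assumptions made for this illustration; Sigma's string matching (including endswith) is case-insensitive by default, so the comparison is done on lowercased names.

```python
"""Added example (not part of the original rule page).

Applies the PFX File Creation rule's logic (TargetFilename ends with '.pfx')
to constructed Sysmon Event ID 11 style file creation records and adds
triage hints for the context an analyst would check on each hit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileCreateEvent:
    image: str            # process that created the file (Sysmon Image)
    target_filename: str  # full path of the created file (Sysmon TargetFilename)
    user: str             # account the process ran as (Sysmon User)


# Constructed sample events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Windows\System32\certutil.exe",
                    r"C:\Users\jdoe\Desktop\backup.pfx", r"CORP\jdoe"),
    FileCreateEvent(r"C:\Windows\System32\mmc.exe",
                    r"C:\Temp\webserver-export.PFX", r"CORP\pki-admin"),
    FileCreateEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                    r"C:\Users\jdoe\Documents\notes.docx", r"CORP\jdoe"),
    FileCreateEvent(r"C:\Users\jdoe\AppData\Local\Temp\x.exe",
                    r"C:\Users\jdoe\AppData\Local\Temp\out.pfx", r"CORP\jdoe"),
    FileCreateEvent(r"C:\Windows\System32\cmd.exe",
                    r"C:\Temp\notes.pfx.txt", r"CORP\jdoe"),
]

# Hypothetical tuning inputs for triage; these are assumptions for the
# example, not part of the Sigma rule.
KNOWN_CERT_TOOLS = {
    r"c:\windows\system32\certutil.exe",
    r"c:\windows\system32\mmc.exe",
}
KNOWN_PKI_ADMINS = {r"corp\pki-admin"}


def matches_rule(event):
    """The rule itself: TargetFilename|endswith '.pfx'.

    Sigma matching is case-insensitive by default, so 'export.PFX' must
    match as well as 'export.pfx'; 'notes.pfx.txt' must not.
    """
    return event.target_filename.lower().endswith(".pfx")


def triage_hints(event):
    """Contextual clues that make a hit more suspicious (heuristics assumed here)."""
    hints = []
    image = event.image.lower()
    if image not in KNOWN_CERT_TOOLS:
        hints.append("unusual creator process: " + event.image)
    if "\\users\\" in image:
        hints.append("creator process runs from a user-writable path")
    if event.user.lower() not in KNOWN_PKI_ADMINS:
        hints.append("user is not a known certificate administrator")
    return hints


def run_rule(events):
    """Return (event, hints) for every event the rule matches."""
    return [(e, triage_hints(e)) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event, hints in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {event.target_filename} written by {event.image} as {event.user}")
        for hint in hints:
            print("    -", hint)
```

Running the block shows three hits: the certutil and mmc exports, and the .pfx written by an executable in a user's Temp directory. The mmc export by the PKI administrator collects no hints and is the kind of event an exclusion would remove; the Temp-directory binary collects all three and is the case the rule exists for. The .docx and the notes.pfx.txt file are not matched, because the comparison is on the extension at the end of the name, not on '.pfx' appearing anywhere in it.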
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2020-05-02